Understand data lifecycle - third party sharing

Third-party sharing is the sharing or onward disclosure of data to third parties. Discussed below are ways in which Microsoft may share data. In all cases, Microsoft will only share data when authorized by the customer or required to do so by applicable law.

Subprocessing

Microsoft processes data as part of providing cloud services to our customers. We categorize the data we process to ensure it is handled with appropriate security and privacy protections. Categories of data processed by Microsoft are defined in the Microsoft Online Services Data Protection Addendum (DPA).

When Microsoft hires a supplier to provide some aspect of our online services that may require the supplier to use or process such data, the supplier is identified as a "subprocessor." All subprocessors must adhere to the Microsoft Supplier Security and Privacy Assurance (SSPA) program before being allowed to process data on behalf of Microsoft.

The Microsoft SSPA program is a corporate program designed to standardize and strengthen data handling practices by setting privacy and security requirements for Microsoft suppliers. The SSPA program requires suppliers to demonstrate compliance with Microsoft's strict privacy and security policies, legal obligations, and customer expectations. To protect customer and personal data, Microsoft requires all subprocessors to comply with the SSPA program.

Third-party offerings

Customers can use third-party offerings available through platforms such as the Office and SharePoint app stores as additional optional services. The IT Administrator will determine if its end users may use these additional offerings. Some of these services are operated by Microsoft Corporation and some are operated by third-party app publishers. Third-party apps are subject to the app publisher's terms and conditions and privacy statements. Customers will need to evaluate the risks of using third-party offerings relative to their business priorities.

Law enforcement requests

Microsoft does not give any government (including law enforcement or other government entities) direct or unfettered access to customer data. If any third party wants customer data, it needs to follow applicable legal process, meaning it must serve us with a valid legal request for content or subscriber information or other non-content data. For non-governmental requests, we require specific lawful consent of the account owner to release content and, for all requests, we provide notice to the account owner unless prohibited by law from doing so. Microsoft does not provide any government with platform encryption keys or provide governments with the ability to break customer-enabled encryption.

If a government wants customer data, it must follow applicable legal processes, which include:

  • All legal demands for customer data must target specific accounts and identifiers.
  • Microsoft's legal compliance team reviews all legal demands to ensure they are valid, rejects the ones that are not valid, and only provides specific data in response.
  • If Microsoft is compelled by law to disclose customer data, the customer will be promptly notified and provided with a copy of the legal demand, unless Microsoft is legally prohibited from doing so.